5.1 Configuring a Default Administrative User from the LDAP Directory

On WebSphere, Oracle Platform Security Services (OPSS) supports LDAP-based registries only; in particular, it does not support WebSphere's built-in file-based user registry. For information about configuring an LDAP registry and seeding the registry with users and groups required by Fusion Middleware components such as Oracle WSM, see Chapter 6, "Managing Oracle Fusion Middleware Security on IBM WebSphere."

By default, the Oracle WSM Policy Manager uses the wasadmin administrative user to communicate with the server. If this user is not available in the LDAP, you must configure the policy manager to use a principal administrative user from the LDAP as described in the following procedure.

The remaining steps in this procedure use the following sample primary user properties: cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com and orcladmin-csf-key for the jndi.lookup.csf.key that will be used for the administrator user access. The values for these properties will vary depending on your environment.

Update the credential store cwallet.sso file and the security role mappings using wsadmin commands as follows:

The syntax for the policyViewer property differs from that of the other properties in that it does not include the separating period. Specifically, the syntax for these properties is policy.Updater, policy.Accessor, policy.User, policyViewer.

Restart the server.

5.2 Configuring Oracle WSM on IBM WebSphere

The following sections describe how to configure Oracle WSM and connect to the policy manager:

To configure Oracle Fusion Middleware in a new IBM WebSphere environment, you use a special version of the Oracle Fusion Middleware Configuration Wizard as described in "Using the Configuration Wizard" in Configuration Guide for IBM WebSphere Application Server.

To configure Oracle WSM when you create or extend a cell using the Configuration Wizard, be sure to select the following options in the Add Products to Cell screen:

Oracle Enterprise Manager for WebSphere

Oracle WSM Policy Manager

If you plan to use asynchronous Web services, select Oracle JRF WebServices Asynchronous services also. For more information, see "Asynchronous Web Services".

Note:

Oracle JRF for WebSphere is automatically selected as a dependency when you select any of the above products.

5.2.2 Connecting to the Oracle WSM Policy Manager

In a WebSphere environment, the Oracle WSM Policy Manager does not run on the same server as Oracle Enterprise Manager. Therefore, the Oracle WSM automatic discovery feature cannot locate and connect to an Oracle WSM Policy Manager. To connect to the policy manager, use the following procedure:

In the navigator pane of Enterprise Fusion Middleware Control, expand WebSphere Cell to view the cells.

Select the cell for which you want to configure the policy manager.

Right-click the name of the cell and from the menu select Web Services then Platform Policy Configuration.

For information about additional properties you can set on the Policy Accessor tab, see "Configuring Web Service Policy Retrieval" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Optionally, select the Policy Cache tab.

The Policy Cache tab allows you to tune the behavior of the policy cache delay for Web service endpoints, which can help to avoid network calls and increase performance when fetching policies from a remote Oracle WSM Policy Manager.

To modify an existing policy cache property, select it and then click Edit. In the Edit Policy Cache Property window, you can edit the Value field to change the default amount for the property.

You may want to edit the following property:

cache.tolerance – This ensures that the policy set retrieved from the Web service endpoint policy cache is the most current version (that is, it has not exceeded the cache.tolerance value). If it is determined that the policy set is stale, the updated policy set is retrieved from the Oracle WSM policy manager and refreshed in the Web service endpoint policy cache. The default is 60000 milliseconds (1 minute).

To add another property, click Add, and in the Add New Policy Cache Property window, specify the necessary values.

5.3.1 High Availability

Not all high availability (HA) features may be available at the same quality of service levels as WebLogic Server.

For example, Jython scripts are not available to configure the Java Object Cache in a clustered environment.

5.3.2 Asynchronous Web Services

Asynchronous Web services are supported on platforms other than WebLogic Server. For asynchronous Web services to function, the following JMS default queues must be present:

oracle.j2ee.ws.server.async.DefaultRequestQueue

oracle.j2ee.ws.server.async.DefaultResponseQueue

oracle.j2ee.ws.server.async.DefaultRequestErrorQueue

oracle.j2ee.ws.server.async.DefaultResponseErrorQueue

weblogic.jms.XAConnectionFactory

To create these queues, you must configure Oracle JRF Asynchronous Web Services using the Oracle Fusion Middleware Configuration Wizard. You do so in the Add Products to Cell screen in the Configuration Wizard as described in "Configuring Oracle WSM". Once you have created or extended a cell with this template, the JMS queues are available for use.

5.3.3 JDeveloper

When using JDeveloper, the remote Oracle WSM policy store on a WebSphere server is not available.

5.4.1 Automatic Discovery of Oracle WSM Policy Manager

Automatic discovery of the Oracle WSM policy manager is not supported by third-party application servers, such as WebSphere. For details about connecting to the policy manager, see "Configuring Oracle WSM on IBM WebSphere".

5.4.2 Web Services Atomic Transactions

Web Services Atomic Transactions (WSAT) are not supported and will result in runtime errors.

5.4.3 No Support for Native Web Services

Native Web services, such as those that are deployed to a stack other than the Oracle Infrastructure Web Services stack, are not exposed in the WSIL. Only the deployed Oracle Infrastructure Web Services are listed. The WSIL application is deployed on every server as part of the JRF template and the URI to access the application is /inspection.wsil. The wsil application uses basic HTTP authentication to ensure that only authorized users can access the list of Web services.
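The following check is an added example, not part of the Oracle documentation: it sends one request with no credentials to /inspection.wsil and reports whether the server answers with an HTTP Basic challenge and whether that challenge would be answered over cleartext HTTP. The host names and ports in the sample data are constructed, and the function names assess_wsil and probe are hypothetical.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WSIL_PATH = "/inspection.wsil"  # URI stated in section 5.4.3


def assess_wsil(url, status, headers):
    """Return findings for one response to a request sent without credentials."""
    findings = []
    challenge = ""
    for name, value in headers.items():
        if name.lower() == "www-authenticate":  # header names are case-insensitive
            challenge = value
    if status == 200:
        findings.append("content served without an authentication challenge")
    elif status == 401 and not challenge.lower().startswith("basic"):
        findings.append("401 without a Basic challenge: %r" % challenge)
    elif status != 401:
        findings.append("unexpected status %d" % status)
    if urlsplit(url).scheme != "https":
        findings.append("Basic credentials would cross the network in cleartext")
    return findings


def probe(base_url, timeout=5):
    """Send one GET with no Authorization header and assess the reply."""
    url = base_url.rstrip("/") + WSIL_PATH
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # a 401 is raised as HTTPError
        status, headers = err.code, dict(err.headers)
    return assess_wsil(url, status, headers)


if __name__ == "__main__":
    # Constructed sample responses (hosts and ports are placeholders);
    # call probe() instead to test a server you administer.
    samples = [
        ("https://was1.example.test:9443" + WSIL_PATH, 401,
         {"WWW-Authenticate": 'Basic realm="Default Realm"'}),
        ("http://was2.example.test:9080" + WSIL_PATH, 401,
         {"WWW-Authenticate": 'Basic realm="Default Realm"'}),
        ("https://was3.example.test:9443" + WSIL_PATH, 200, {}),
    ]
    for url, status, headers in samples:
        print(url, assess_wsil(url, status, headers) or "OK")
```

An empty result means the endpoint challenged for Basic credentials over HTTPS; any finding is worth reviewing against the server's security role mappings and transport settings.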

5.4.4 Reliable Messaging

WS-Reliable Messaging (WS-RM) is supported on IBM WebSphere with the following limitations:

WS-RM includes support for persistent database (DB) message store with Oracle databases only.

WS-RM supports clustering only when Coherence is installed and available. This behavior is the same as WebLogic Server on all the platforms where Coherence is available.

5.4.5 Enterprise Manager Fusion Middleware Control

On IBM WebSphere, you access the Web services pages in Fusion Middleware Control using either of the following methods:

From the main WebSphere Cell menu, select Web Services, then the desired Web services page, as shown in Figure 5-3.

In the navigation pane, right-click on the target cell name, then select Web Services, then the desired Web services page.

The following limitations and differences apply when managing Web services using Fusion Middleware Control:

You cannot view or manage Web services at the server level.

The bulk policy attachment feature is not available.

The registered sources and services, and publish to UDDI features are not available.

The Application Deployment Summary page does not include the list of Web Services, or the Most Requested table.

Native WebSphere Web services are not supported.

The Usage Analysis page displays the WebSphere cell and server names.

5.5 Using the Web Services wsadmin Commands

The Web services wsadmin commands are identical to the custom Web services WebLogic Scripting Tool (WLST) commands provided for WebLogic Server. The Web services commands are grouped into two categories:

WebServices—These commands consist of the Web service and client management commands, and the policy management commands. For a complete list of these commands, see "WebServices wsadmin Commands".

wsmManage—These commands consist of the policy set management commands, the import/export repository commands, and the Oracle WSM repository maintenance commands. For a complete list of these commands, see "wsmManage wsadmin Commands".

Note:

Because the Oracle WSM Policy Manager is security enabled, you must pass Java system properties, such as username and password, when invoking wsadmin. For details about invoking wsadmin and using the wsadmin commands, see "Using the Oracle Fusion Middleware wsadmin Commands".

5.5.1 Executing the Web Services wsadmin Commands

To execute the wsadmin commands, you must prefix each command with the category name. That is, each command in the WebServices category must be preceded by WebServices, and each command in the wsmManage category must be preceded with wsmManage. For example:

To execute a command in the WebServices category, such as the listWebServices() command, enter the following:

5.5.2 WebServices wsadmin Commands

The following table identifies the WebServices management wsadmin commands that are supported on WebSphere, and provides links to the reference documentation in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Sample procedures for using the commands are described in the following chapters in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

You can use these commands as described in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference and Oracle Fusion Middleware Security and Administrator's Guide for Web Services. However, in a WebSphere environment, you must execute the commands as described in "Executing the Web Services wsadmin Commands".

Configure the Web service port policy override properties of an application or SOA composite.

5.5.3 wsmManage wsadmin Commands

The following table identifies the wsmManage commands that are supported on WebSphere, and provides links to the reference documentation in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Sample procedures for using these commands are described in the following chapters in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

You can use these commands as described in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference and Oracle Fusion Middleware Security and Administrator's Guide for Web Services. However, in a WebSphere environment, you must execute the commands as described in "Executing the Web Services wsadmin Commands".

Import a set of documents from a supported ZIP archive file into the repository. You can provide the location of a file that describes how to map physical information from the source environment to the target environment.

Export a set of documents from the repository into a supported ZIP archive. If the specified archive already exists, you can choose whether to overwrite the archive or merge the documents into the existing archive.

Delete the existing policies stored in the Oracle MDS repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle Fusion Middleware software.
